Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3080
Views
10
Helpful
0
Comments

Debugging FTD Identity-based Policy

Mohammed al Baqari
Level 11
Level 11

on ‎02-07-2021 12:09 AM

 LAB: FMC 6.5 Integrated with ISE 2.4 using PxGrid v1 

 

  • From FMC CLI, verify ISE integration status using the command

root@vFPMC:/etc/rc.d# cat /var/sf/run/adi-health

$status = {

     'ADI' => 'UP',

     'Realm5(AD)_TESTLAB.COM' => 'UP',

     'Realm5(AD)_ldap://192.168.7.100:389' => 'UP',

     'Realm5(AD)_ldap://192.168.7.99:389' => 'UP',

     'Realm5(AD)_ldap://172.16.21.100:389' => 'UP',

     'Realm5(AD)_ldap://172.16.21.99:389' => 'UP',

     'Realm7(AD)_TESTLAB.LOCAL' => 'DOWN', **** ignore this one ****

     'Realm7(AD)_ldap://192.168.7.16:389' => 'DOWN',

     'Realm7(AD)_ldap://172.16.21.15:389' => 'DOWN',

 

     'ISE Services' => 'UP',

     'ISE Identity' => 'UP',

     'ISE Attributes' => 'UP',

     'ISE Remediation' => 'UP',

     'ISE SXP' => 'DISABLED',

 

     'ISEConnection' => 'UP',

     'Session Directory Subscription' => 'UP',

     'Session Directory Bulkdownload' => 'UP',

 

     'Endpoint MetaData Subscription' => 'UP',

     'Endpoint MetaData Bulkdownload' => 'UP',

 

     'SGT MetaData Subscription' => 'UP',

     'SGT MetaData Bulkdownload' => 'UP',

 

     'Endpoint Protection Service Capability' => 'UP',

     'Adaptive Network Control Capability' => 'UP',

 

     'SXP Subscription' => 'UNKNOWN',

     'SXP Bulkdownload' => 'UNKNOWN',

};

 

  • From FMC CLI verify that session updates are received from ISE (this can verified using GUI Analysis > User Activity)

root@vFPMC:/Volume/home/admin# adi_cli session

input 'q' to quit

received realm information: operation REALM_DELETE_ALL, Null realm info

received realm information: operation REALM_ADD, realm name TESTLAB.COM, short name TESTLAB, id 5

received realm information: operation REALM_ADD, realm name TESTLAB.local, short name TESTLAB, id 7

ADI is connected

received user session: username 00:02:99:05:55:51, ip ::ffff:192.168.236.108, location_ip ::ffff:192.168.136.12, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:02:99:12:43:44, ip ::ffff:192.168.126.12, location_ip ::ffff:192.168.126.10, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:02:99:1A:82:E5, ip ::ffff:192.168.134.12, location_ip ::ffff:192.168.134.20, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:20:E4:22:51, ip ::ffff:192.168.226.155, location_ip ::ffff:192.168.126.20, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:E6:2F:1C, ip ::ffff:192.168.4.52, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:9E:CC, ip ::ffff:192.168.126.103, location_ip ::ffff:192.168.126.20, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:9E:F6, ip ::ffff:192.168.130.105, location_ip ::ffff:192.168.130.14, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:9F:3F, ip ::ffff:192.168.132.119, location_ip ::ffff:192.168.132.10, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:AC:BC, ip ::ffff:192.168.123.102, location_ip ::ffff:192.168.123.15, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:B6:3D, ip ::ffff:192.168.134.103, location_ip ::ffff:192.168.134.30, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:C0:A8, ip ::ffff:192.168.124.108, location_ip ::ffff:192.168.124.12, realm_id 0, domain , type Add, identity Passive.

received user session: username 00:04:F2:F5:EF:A9, ip ::ffff:192.168.4.51, location_ip ::ffff:192.168.14.10, realm_id 0, domain , type Delete, identity Passive

 

  • From FTD CLI, verify the mapping of IP delivered from FMC to FTD using the script user_map_query.pl -i 172.16.20.165 (you can use -u to filter by username instead of IP. Use --help to see all available options)

root@aun-firepower:/home/admin# user_map_query.pl -i 172.16.20.165

 

WARNING: This script was not tested on this major version (6.5.0)! The results may be unexpected.

Current Time: 05/06/2020 06:19:30 UTC

 

Getting information on IP Address(es)...

 

___

IP #1: 172.16.20.165

---

 

==============================

|          Database          |

==============================

 

##) Username (ID) [Realm ID]

 1) testuser (2827) [5]      

      for_policy: 0

      Last Seen: Unknown

      Realm Name: Unknown

 

From above information, we know that the user testuser has a unique identity of 2827 in FTD 

 

  • Use the command cat /ngfw/var/sf/detection_engines/<UUID>/ngfw.rules to verify the ACP rules with identity mapping

# Start of AC rule.

268485640 allow any any  any any 172.16.22.10 32 22 any 6 (group 4)

268485640 allow any any  any any 172.16.22.10 32 any any 1 (group 4)

# End rule 268485640

 

From above info, we know that AD Group is having unique identity in FTD as 4 (in FMC ACP GUI this group is named Network-Admins)

 

  • Use the command system support firewall-engine-dump-user-identity-data to generate a dump file with current identity info on the FTD
  • From expert mode run the command cat /var/sf/detection_engines/<UUID>/instance-1/user_identity.dump to view the dump file

root@aun-firepower:/home/admin# cat /var/sf/detection_engines/2dec3c86-7e22-11ea-9253-e530beb8a2d2/instance-1/user_identity.dump 

 

-------------------

 User/Group counts:

-------------------

     num hosts:                742 

     num groups:               1 

     num user/group mappings:  3 

     num of users:             757 

     num of shared users:      0 

     num skipped:              0 

     num cache misses:         0 

     num cache updates:        0 

 

-------------------

 User/Group mem usage:

-------------------

     group_bit_hash:  32884 

     user_group_hash: 32963 

     host_hash:       360176 

     user_ip_hash:    27252 

     total:           453275 

 

-------------------

 Sxp memory usage:

-------------------

Sxp nodes count: 0

Sxp tree size : 32

 

----------------

IP:USER

----------------

……..

 

Host ::ffff:172.16.20.165

::ffff:172.16.20.165:2827 realm 5 type 1

::ffff:172.16.20.165: sgt id 0, sgt val 0, device_type 1239, location_ip ::ffff:192.168.14.1

 

……

-------------------

USER:GROUPS

-------------------

2198:4, (active_sessions: 1)

2315:4, (active_sessions: 1)

2827:4, (active_sessions: 1)

 

From above info, we know that user testuser with identity 2827 is mapped to group 4 which is assigned to the ACP policy as Network-Admins AD Group

 

  • To understand the identity lookup process on FTD, run the command system support identity-debug

> system support identity-debug

 

Please specify an IP protocol: 

Please specify a client IP address: 172.16.20.165

Please specify a client port: 

Please specify a server IP address: 

Please specify a server port: 

Monitoring identity debug messages

 

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 Starting authentication (sfAuthCheckRules params) with zones -1 -> -1, port 0 -> 0, geo 16663792 -> 16663810

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive session

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 returning passive session

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 found passive binding for user_id 2827

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 matched auth rule id = 1 user_id = 2827 realm_id = 5

 

  • When a connection is started, FTD will lookup the identity DB to get the username of the incoming IP, this will be appended to the other packet information(SGT, VLAN, etc) to be looked up against ACP policy. We saw earlier that user 2827 is mapped to AD group 4 which is allowed by the ACP policy.

> system support firewall-engine-debug

 

Please specify an IP protocol: 

Please specify a client IP address: 172.16.20.165

Please specify a client port: 

Please specify a server IP address: 

Please specify a server port: 

Monitoring firewall engine debug messages

 

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 new firewall session

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 Starting with minimum 8, 'TEST-MGMT', and IPProto first with zones -1 -> -1, geo 0 -> 0, vlan 0, source sgt type: 0, source sgt tag: 0, ISE sgt id: 0, dest sgt type: 0, ISE dest sgt tag: 0, svc 3501, payload 0, client 2000003501, misc 0, user 2827, icmpType 8, icmpCode 0

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 rule order 8, 'TEST-MGMT', matched group 4

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 match rule order 8, 'TEST-MGMT', action Allow

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 MidRecovery data sent for rule id: 268485640,rule_action:2, rev id:282505566, rule_match flag:0x0

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 HitCount data sent for rule id: 268485640,

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: number=2, load=0.003017

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: latency=57

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 IAB: drops=0.000000

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 allow action

172.16.20.165-8 > 172.16.22.10-0 1 AS 1 I 0 deleting firewall session flags = 0x800, fwFlags = 0x102

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents